Agent  <── E2EE ──>  Gateway (you host this)  <── E2EE ──>  Browser / Desktop

• Go 1.25+

git clone https://github.com/Commands-com/gateway.git
cd gateway
cp .env.example .env

Generate a signing key and update .env:

openssl rand -base64 48

JWT_SIGNING_KEY=<paste-generated-key>
AUTH_MODE=demo

Run:

go run ./cmd/server

Verify:

curl http://localhost:8080/healthz
curl http://localhost:8080/readyz

Open the console at http://localhost:8080/console.

For use with the Commands.com Agent Workspace:

export JWT_SIGNING_KEY="$(openssl rand -hex 32)"
PORT=8091 AUTH_MODE=demo \
OAUTH_DEFAULT_CLIENT_ID=commands-desktop-public \
REDIRECT_ALLOWLIST='http://localhost:61696/callback,urn:ietf:wg:oauth:2.0:oob' \
go run ./cmd/server

1. Create a Railway project from this repo.
2. Set environment variables:

PUBLIC_BASE_URL is auto-detected from RAILWAY_PUBLIC_DOMAIN. Only set it for custom domains.

3. Deploy.
4. Visit https://<your-domain>/console.

For Google/GitHub sign-in via Firebase, add these vars:

Then add your Railway domain to Firebase Console > Authentication > Settings > Authorized domains.

No credentials file needed — OIDC validates tokens via Firebase's public JWKS.

In demo mode, the token endpoint additionally accepts the client_credentials grant and POST /gateway/v1/integrations/routes auto-registers an unknown device_id on first use. Both affordances exist so headless agents can bootstrap without a browser redirect or prior identity-key PUT. They are unavailable in any other auth mode.

When FIREBASE_API_KEY and FIREBASE_PROJECT_ID are set, the authorize page shows Google and GitHub popup sign-in buttons. Works with both firebase and oidc modes.

• Handshake: X25519 ephemeral key exchange with Ed25519 identity signatures
• Key derivation: HKDF-SHA256 with transcript hash salt, direction-split keys
• Encryption: AES-256-GCM with deterministic nonces and AAD binding
• Replay protection: Monotonic sequence enforcement, idempotency keys, transport tokens
• Frame validation: REQUIRE_ENCRYPTED_FRAMES=true by default

The gateway serves an admin console at /console:

• Dashboard — connected devices, active sessions, health status
• Devices — online/offline status, identity keys, quick session launch
• Sessions — E2E encrypted chat with agents, handshake status
• Shares — invite management, grant lifecycle, revoke controls

Authenticates through the same OAuth flow as all other clients.

Public ingress uses in-memory fixed-window rate limiting:

cmd/server          Process entrypoint
internal/app        Dependency wiring and route registration
internal/config     Environment contract and validation
internal/console    Built-in admin UI (embedded HTML)
internal/oauth      OAuth/OIDC (authorize, token, views)
internal/gateway    Device, share, session, tunnel handlers
internal/jwt        Token signing and verification
internal/idtoken    Upstream identity token verifiers
internal/health     Health/readiness handlers
docs/openapi.yaml   Endpoint contract

go test ./...

Default ALLOW_ORIGINS=* is suitable for demo mode. For production, restrict to your app's origin:

ALLOW_ORIGINS=https://app.example.com

• Contributing
• OpenAPI spec: docs/openapi.yaml
• Release checklist: docs/release.md